Graph Security Endpoint Throwing An HTTP 403 With ADAL.js
Solution 1:
It looks like your app has the correct scopes, but the user that is requesting alerts from the Microsoft Graph Security API does not have a Security Reader role in Azure AD.
To add roles to users, sign in to the Azure portal as the tenant admin, then select the Azure Active Directory blade > Users > select the name of the user > Directory Role > and then select Add role.
Once the user has access to read security information, they should be able to receive alerts through the Microsoft Graph Security API.
Source: https://docs.microsoft.com/graph/security-authorization#assign-azure-ad-roles-to-users
Solution 2:
I’ve been working behind-the-scenes with some MS DEV resources, and we believe we’ve tracked down why this doesn’t work.
Taken from an email:
The implicit grant through AAD uses response_mode=fragment by default. Once the response mode is changed to response_mode=form_post, the id token, and access token if requested, are sent as a POST request and contain the wids claim which allows the Graph API security endpoints to be used.
The workaround proposed there was to basically build a server-side app that would catch the POST request that would have the roles, then use that to call the Graph Security API.
This works, but basically means implicit flow client side apps are essentially incompatible with the Graph Security API. Super frustrating and extremely difficult to track down from the documentation.
Hopefully there is some other mechanism MS can come up with.